b'\x0c\x0c\x0c                                       STRATEGIC CHALLENGES FOR\n                                      GSA\xe2\x80\x99S COMPREHENSIVE HUMAN\n                                  RESOURCES INTEGRATED SYSTEM (CHRIS)\n                                    REPORT NUMBER A040142/O/T/F05025\n\n\n                                                     TABLE OF CONTENTS\n\n                                                                                                                               PAGE\n\nEXECUTIVE SUMMARY ..............................................................................................i\n\n  Purpose ..........................................................................................................................i\n\n  Background....................................................................................................................i\n\n  Results-in-Brief .............................................................................................................i\n\n  Recommendations .........................................................................................................ii\n\n  Management Response ..................................................................................................iii\n\nINTRODUCTION ............................................................................................................1\n\n  Objectives, Scope, and Methodology ............................................................................1\n\nRESULTS OF AUDIT......................................................................................................3\n\n  Some System Requirements May Not Be Fully Realized with CHRIS ........................3\n\n  Expected Benefits Not Realized for CHRIS Due to Insufficient Customer Base .........5\n\n  Improved System Security Controls Needed ................................................................8\n\n      Key Components of Security Have Not Been 
Addressed with Certification and\n      Accreditation of System Controls.............................................................................8\n\n      Background Checks for Contractors Not Completed ...............................................9\n\n      Improvements Needed in Oracle Database Security.................................................9\n\n  Recommendations ........................................................................................................10\n\n  Management Response .................................................................................................11\n\n  Internal Controls...........................................................................................................11\n\x0c                                                     APPENDICES\n\nKEY EVENTS IN CHRIS LIFECYCLE ........................................................................A-1\n\nGSA CPO\xe2\x80\x99s RESPONSE TO DRAFT AUDIT REPORT...............................................B-1\n\nREPORT DISTRIBUTION .............................................................................................C-1\n\x0c                            STRATEGIC CHALLENGES FOR\n                           GSA\xe2\x80\x99S COMPREHENSIVE HUMAN\n                       RESOURCES INTEGRATED SYSTEM (CHRIS)\n                         REPORT NUMBER A040142/O/T/F05025\n\n                                   EXECUTIVE SUMMARY\n\nPurpose\nThe General Services Administration\xe2\x80\x99s (GSA) Comprehensive Human Resources Integrated\nSystem (CHRIS) is a web-based Human Resources (HR) Information Technology (IT) system\nbased on the Oracle Federal HR commercial-off-the-shelf product and customized to support a\nrange of HR and reporting functions intended to meet the needs of GSA and its customers. 
Our\noverall audit objectives were to determine whether: (1) GSA\xe2\x80\x99s CHRIS provides the needed\nfunctionality, security, and other controls for system operations to ensure the data\xe2\x80\x99s integrity and\nreliability; (2) the Office of the Chief People Officer (OCPO) has processes in place to improve\nsystem functionality and usability; and (3) CHRIS is financially beneficial to GSA. If not, what\nactions are needed to improve CHRIS?\n\nBackground\n\nThe CHRIS solution was first deployed through a client-server environment in August 2000 to\nprovide HR systems support to GSA employees and approximately 8,600 external customers\nfrom the National Archives and Records Administration, the Equal Employment Opportunity\nCommission, the National Credit Union Administration, and Presidential Boards and\nCommissions that were previously supported by the legacy Personnel Information Resources\nSystem. While GSA\'s OCPO had the immediate requirement to service its own employees and\nexisting customers with CHRIS, the growth of cross-servicing revenues became part of the\norganization\'s mission. In December 2001, the OCPO implemented new technology to provide\nweb-based access to the CHRIS system over GSA\'s network. In September 2004 the OCPO\nprovided all GSA employees with web-based electronic access to their own personal information\nwithin CHRIS. A timeline of key events relating to CHRIS is provided in Appendix A-1.\n\nResults-in-Brief\n\nCHRIS was deployed by the OCPO to provide important online capabilities and improve GSA and\nother Federal organizations\xe2\x80\x99 processes for human resources. Though the original intent for CHRIS\nwas to provide a comprehensive, integrated HR system, GSA\xe2\x80\x99s strategic efforts with the system\nhave been impeded by user reluctance to use the system and the availability of duplicative system\nfunctionality provided by other GSA systems. 
Since the system was introduced in August 2000 a\npost-implementation review to fully assess how well the system is meeting user requirements has\nnot been completed. As a result, some requirements for the HR system such as those established by\nthe Joint Financial Management Improvement Program may not be adequately supported with\nCHRIS. With a changing environment driven by the Human Resources Information System (HRIS)\ncomponent of e-Government, GSA has also faced challenges in marketing CHRIS. Due to an\ninsufficient customer base, CHRIS is not recovering costs or the revenue originally expected.\nSystem lifecycle costs have increased from an initial estimate of $34 million to an estimated $54\n\n\n                                                 i\n\x0cmillion without a projected quantifiable recovery of investment. With ongoing decisions regarding\nthe selection of HR Line of Business systems, GSA must make critical management decisions\nregarding the future of CHRIS, including whether to: (1) retain the system and expand the customer\nbase to offset costs; (2) offer CHRIS as a service provider under HRIS; or (3) sell CHRIS and\ndiscontinue GSA\xe2\x80\x99s management role with the system. Several areas of system security risk that\ncould lead to system vulnerabilities or unnecessary risk were assessed through our FY 2004 review\nof GSA\xe2\x80\x99s IT Security Program required by the Federal Information Security Management Act. Key\nsecurity components for CHRIS have not been fully addressed including the certification and\naccreditation of system controls and completion of required security documents. Background\nchecks for contractors with access to CHRIS are also needed. During our review we also identified\ntechnical control vulnerabilities for the CHRIS Oracle database that, if exploited, may compromise\nthe confidentiality, integrity, and availability of the system1. 
Specific steps taken at this critical\njuncture could better ensure that GSA\xe2\x80\x99s strategic business objectives and all user needs are met with\nthe CHRIS system.\n\nRecommendations\n\nWe recommend that the GSA Chief People Officer:\n\n    (1) Conduct a post-implementation review in accordance with the Office of Management and\n        Budget\xe2\x80\x99s Circular A-130 and GSA\xe2\x80\x99s August 2002 IT Capital Planning And Investment\n        Guide, to:\n        a. Validate estimated benefits and costs for CHRIS;\n        b. Evaluate CHRIS to ensure positive return on investment; and\n        c. Ensure that the system meets organizational and user needs.\n\n    (2) Complete an alternatives analysis to fully consider the costs and benefits for the options\n        of:\n        a. Keeping the system and expanding the customer base to offset costs; or\n        b. Offering CHRIS as a service provider under HRIS; or\n        c. Selling the system and discontinuing GSA\xe2\x80\x99s management role with CHRIS.\n\n    (3) Ensure that adequate security controls are in place to manage risks with CHRIS by:\n        a. Completing the system certification and accreditation process for CHRIS including\n           updating required system security documentation.\n        b. Prioritizing necessary background checks for contractor staff as required by the GSA\n           IT Security Policy and implementing compensating controls until this process is\n           completed.\n        c. 
Carefully assessing the Oracle database vulnerabilities and applying technical\n           solutions to reduce associated risks.\n\n\n\n\n1\n Specific results for our review of the CHRIS Oracle database were provided separately to the OCPO on July 20,\n2005, due to the sensitive nature of the information reported.\n\n\n                                                       ii\n\x0cManagement Response\n\nWe met with the Chief People Officer (CPO) and Office of the Chief People Officer (OCPO)\npersonnel to discuss the results of our review and to identify any areas in the draft report that\nmay require revisions. They generally concurred with the findings and two of the three\nrecommendations as presented in the report. Written comments provided by the CPO indicate\nthat OCPO will take actions aimed at addressing the identified areas of risk in the report.\nSpecifically, they identified ongoing or planned management actions toward: (1) conducting a\nformal post-implementation review for CHRIS to better assess whether the system effectively\nand efficiently meets user needs as well as JFMIP and HR system requirements, and (2)\ncontinuing to enhance CHRIS security controls including another system certification and\naccreditation and completing background checks on contractors.\n\nThe CPO did not agree with the recommendation to complete an alternatives analysis to fully\nconsider the costs and benefits for the options of: (1) keeping the system and expanding the\ncustomer base to offset costs; or (2) offering CHRIS as a service provider under HRIS; or (3)\nselling the system and discontinuing GSA\xe2\x80\x99s management role with CHRIS. 
The CPO stated \xe2\x80\x9can\nanalysis was completed in 2003 and in 2005 the Office of the CPO and the Office of the Chief\nFinancial Officer (CFO) decided that it would be in GSA\xe2\x80\x99s best interest to offer CHRIS and the\nPayroll Accounting Reporting (PAR) system, in combination, as the core of an HR Line of\nBusiness (LoB) Shared Service Center solution. A business case (OMB Exhibit 300) was\nsubmitted to OMB earlier this month as part of the FY 2007 budget formulation process. The\noffices of the CPO and CFO will work together to develop a more complete business model to\nsupport this plan.\xe2\x80\x9d While the decision to continue CHRIS as a service provider under HRIS is an\noption that we recommended be considered, a more complete business model should clarify how\nalternatives were considered.\n\nA copy of the management comments is provided in its entirety in Appendix B.\n\n\n\n\n                                               iii\n\x0c                            STRATEGIC CHALLENGES FOR\n                           GSA\xe2\x80\x99S COMPREHENSIVE HUMAN\n                       RESOURCES INTEGRATED SYSTEM (CHRIS)\n                         REPORT NUMBER A040142/O/T/F05025\n\n                                       INTRODUCTION\n\nThe Comprehensive Human Resources Integrated System (CHRIS), a tool used by the General\nServices Administration (GSA) and its customer agencies to administer the careers of their\nFederal employees, provides a range of Human Resources (HR) services and information. The\nCHRIS system was based on the Oracle Federal HR commercial-off-the-shelf database product\nand the system has been customized for GSA and other Federal agency customers\xe2\x80\x99 use. CHRIS\nwas first deployed to HR offices through a client-server environment in August 2000. 
In\nDecember 2001, the Office of the Chief People Officer implemented new technology to provide\nbrowser-based access over GSA\'s network by bringing the application to the users\xe2\x80\x99 desktops. A\ntimeline of key events relating to CHRIS is provided in Appendix A-1.\n\nObjectives, Scope, and Methodology\n\nOur overall audit objectives were to determine whether: (1) GSA\xe2\x80\x99s CHRIS provides the needed\nfunctionality, security, and other controls for system operations to ensure the data\xe2\x80\x99s integrity and\nreliability; (2) the Office of the Chief People Officer (OCPO) has processes in place to improve\nsystem functionality and usability; and (3) CHRIS is financially beneficial to GSA. If not, what\nactions are needed to improve CHRIS? Our review focused on CHRIS project management,\nsystem and user requirements, security, system controls, and interfaces. We analyzed key\ndocumentation, including the Security Plan, Contingency Plan, Configuration Management Plan,\nUser Manual, data dictionary, and documentation for interfaces, certification and accreditation,\nand security testing and evaluation. We also assessed the original 1999 business plan for CHRIS,\nthe 2001 Gartner, Inc. pricing study, the 2001 Chief People Officer Technology Initiative, the 2003\nInternational Business Machines study of strategic alternatives for CHRIS, pilot efforts for\nadditional CHRIS modules; existing and planned system functionality; reconciliation of CHRIS\xe2\x80\x99\ncosts with Pegasys, GSA\xe2\x80\x99s financial system of record; and GSA operations as well as agreements\nwith other Federal agencies for their use of CHRIS. We met with key officials in the OCPO,\nincluding the OCPO\xe2\x80\x99s Chief Information Officer (CIO), system administrators, and security\nofficials. 
We interviewed system users in the National Capital Region, the Mid-Atlantic Region\n(Region 3), the Office of Inspector General Human Resources Offices, the Agency Liaison\nDivision in the National Capital Region, and the OCPO\xe2\x80\x99s Consolidated Processing Center in\nGSA\'s Heartland Region (Region 6). CHRIS was concurrently reviewed and incorporated in the\nFiscal Year (FY) 2004 review of GSA\xe2\x80\x99s Information Technology (IT) Security Program required\nby the Federal Information Security Management Act (FISMA). During the timeframes of this\naudit our office issued two separate reports on CHRIS security, with detailed results for our\nFISMA technical control tests for CHRIS: FY 2004 Office of Inspector General Information\nSecurity Review of the Comprehensive Human Resources Integrated System, Report Number\nA040179/O/T/F05006, dated January 11, 2005, and Security Vulnerabilities with the\nComprehensive Human Resources Integrated System (CHRIS) Oracle Database, Report Number\nA040142/O/T/F05021 dated July 20, 2005.\n\n\n\n                                                 1\n\x0cWe considered applicable regulations, policies, and guidance for HR systems, including: the\nGSA Information Technology Security Policy, CIO P 2100.1B, November 2004; Federal\nInformation Processing Standards (FIPS) Publication 199, Standards for Security Categorization\nof Federal Information and Information Systems, December 2003; Changes in GSA\nOrganization, ADM 5440.577, December 5, 2003; the GSA Privacy Act Program, CPO 1878.1,\nOctober 27, 2003; Conducting Privacy Impact Assessments in GSA, CPO 1878.2, May 28, 2004;\nthe GSA CIO\xe2\x80\x99s Capital Planning and IT Investment Guide, February 2000; the GSA CIO\xe2\x80\x99s\nOrder on GSA Information Technology (IT) Capital Planning and Investment Control, CIO\n2135.1, June 11, 2002; the GSA CIO\xe2\x80\x99s IT Capital Planning & Investment Control Guide, August\n2002; the Systems Development Life Cycle Policy Handbook, 
CIO P 2140.2, April 20, 2004; the\nGSA Office of the Chief People Officer\xe2\x80\x99s Human Capital Strategic Plan (2002-2007); the Chief\nHuman Capital Officers Act of 2002; the Federal Information Security Management Act of\n2002; the Office of Management and Budget (OMB) Circular A-130 with its Appendices III and\nIV, Revised November 30, 2000; OMB Circular A-127, revised July 23, 1993; the Joint\nFinancial Management Improvement Program\xe2\x80\x99s (JFMIP\xe2\x80\x99s) Human Resources and Payroll\nSystems Requirements, JFMIP SR-99-5, April 1999; the General Accounting Office\xe2\x80\x99s (GAO\xe2\x80\x99s2)\nHuman Resources and Payroll Systems Requirements: Checklist for Reviewing Systems Under\nthe Federal Financial Management Improvement Act, GAO/AIMD-00-21.2.3, March 2000;\nGAO\xe2\x80\x99s Federal Information System Controls Audit Manual (FISCAM), GAO/AIMD-12.19.6,\nJanuary 1999; the National Institute of Standards and Technology (NIST) Special Publication\n800-18, Guide for Developing Security Plans for Information Technology Systems, December\n1998; NIST Special Publication 800-64, Security Considerations in the Information System\nDevelopment Life Cycle, Revised June 2004; NIST Special Publication 800-30, Risk\nManagement Guide for Information Technology Systems, January 2002; NIST Special\nPublication 800-47, Security Guide for Interconnecting Information Technology Systems,\nAugust 2002; and the GSA CIO\xe2\x80\x99s IT procedural guides on certification and accreditation,\nsecurity test and evaluation, contingency and configuration management plans, risk assessments,\naccess control, password generation and protection, and security incident handling.\n\nWe performed our audit work in GSA\xe2\x80\x99s Central Office, the National Capital Region, the Mid-\nAtlantic Region (Region 3), and the Heartland Region (Region 6) between February 2004 and\nJanuary 2005 in accordance with generally accepted government auditing standards.\n\n\n\n\n2\n    Effective 
July 7, 2004, the GAO\xe2\x80\x99s legal name was changed to the Government Accountability Office.\n\n\n                                                         2\n\x0c                                           RESULTS OF AUDIT\n\nThe Comprehensive Human Resources Integrated System (CHRIS) was deployed by the Office of\nthe Chief People Officer (OCPO) to provide important online capabilities and improve human\nresources (HR) processes for the General Services Administration (GSA) and its Federal agency\ncustomers; however, current costs and benefits for the system need to be carefully considered given\nthe changing environment for Federal HR systems. Though the original intent for CHRIS was to\nprovide a comprehensive, integrated HR system, GSA\xe2\x80\x99s strategic efforts with the system have been\nimpeded by user reluctance to use the system and duplicative system functionality provided by other\nGSA systems. Some requirements for the HR system such as those established by the Joint\nFinancial Management Improvement Program (JFMIP) may not be fully realized with CHRIS and\nsince the system was introduced in August 2000 a post-implementation review to determine how\nwell the system is meeting user requirements has not been completed. With a changing\nenvironment driven by the Human Resources Information System (HRIS) component of e-\nGovernment, GSA has faced challenges in marketing CHRIS. The system currently has an\ninsufficient customer base and is not recovering costs or the revenue originally expected. CHRIS\nsystem lifecycle costs have also increased from an initial estimate of $34 million to an estimated\n$54 million through Fiscal Year (FY) 2006 without projecting a quantifiable recovery of\ninvestment. 
With ongoing decisions regarding the selection of HR Line of Business systems, GSA\nfaces critical decisions including whether to: (1) retain the system and expand the customer base to\noffset costs; (2) offer CHRIS as a service provider under HRIS; or (3) sell CHRIS and discontinue\nGSA\xe2\x80\x99s management role with the system. Several areas of system security risk that could lead to\nsystem vulnerabilities or unnecessary risk were assessed through our FY 2004 Federal Information\nSecurity Management Act (FISMA) audit and actions are needed to ensure that adequate system\ncontrols are in place and operating as intended. Key security components for CHRIS have not been\nfully addressed including the certification and accreditation of system controls and completion of\nrequired security documents. Background checks for contractors with access to CHRIS are also\nneeded. During our review we identified specific technical control vulnerabilities for the CHRIS\nOracle database that, if exploited, may compromise the confidentiality, integrity, and availability of\nthe system3. Taking steps to improve managerial, operational, and technical controls at this critical\njuncture will better ensure that GSA\xe2\x80\x99s strategic business objectives and all user needs are met with\nthe CHRIS system.\n\nSome System Requirements May Not Be Fully Realized with CHRIS\n\nAlthough CHRIS development staff is currently making strides by improving system\nfunctionality and usability and improving communication with its customers, the original intent\nof providing a comprehensive HR solution with CHRIS that would support and empower GSA\xe2\x80\x99s\nHR professionals, managers, and employees has not been fully realized. CHRIS has encountered\nuser dissatisfaction and system redundancy challenges, and some benchmark system\nrequirements established by JFMIP4 may not be met with CHRIS. 
Further, a post-\n\n\n\n3\n  Specific results for our review of the CHRIS Oracle database were provided separately to the OCPO on July 20,\n2005, due to the sensitive nature of the information reported.\n4\n  JFMIP\xe2\x80\x99s Human Resources and Payroll Systems Requirements, JFMIP SR-99-5, April 1999.\n\n\n                                                        3\n\x0cimplementation review has not been performed for CHRIS to ensure that it meets all GSA,\nexternal customer, and other requirements5 for Federal HR systems.\n\nWhile GSA was still using the legacy Personnel Information Resources System, the OCPO\nconsolidated its HR-related activities to the Consolidated Processing Center (CPC) in Kansas\nCity. The CHRIS Division Director stated that over the years, there has been a reluctance of the\nuser community to fully utilize CHRIS and to provide adequate requirements to the system\ndevelopment staff, specifically around screen layouts and business process definition. The\nOracle Federal HR solution, a commercial-off-the-shelf product that serves as the foundation for\nthe CHRIS application, was not stable or well suited for the GSA user community as delivered.\nCHRIS was originally designed to meet the needs of regional HR offices in a distributed\nenvironment and was deployed with interim reports and a cumbersome user interface. As a\nresult, CHRIS was initially met with dissatisfaction from the user community. Additionally, a\ndichotomy resulted since the intent of GSA\'s technical direction with CHRIS was to facilitate\nlocal transaction processing while the procedural direction was to perform HR transactions\ncentrally with the CPC. However, the technical and procedural direction did not meet the needs\nof all the regions. 
As a result, we found that at least one regional office developed Lotus Notes\napplications to provide reports, communicate employee change requests to the CPC, and create\nnew employee positions, in some cases bypassing HR functionality provided by CHRIS and\nsupplementing the system with alternative Lotus Notes solutions. While CHRIS has the\ntechnical capability to be a comprehensive integrated human resources system, the system\xe2\x80\x99s\nfunctional capabilities are duplicated in other GSA systems. Further, some modules that provide\nspecific HR functionality have not been implemented for CHRIS since the functionality exists in\nother GSA systems, including the Electronic Time and Attendance Management System,\nGSAJOBS, Thrift Savings Plan, and Employee Express.\n\nTo assess CHRIS capabilities in the area of system requirements, we relied on a checklist\ndeveloped by the Government Accountability Office for reviewing specific benchmarks\nestablished by JFMIP. The checklist describes sets of functionality necessary to support\nenterprise-wide lines of business and to reduce redundancy and increase effectiveness and\nefficiency. We used this checklist as a guide, but did not apply it to the GSA\xe2\x80\x99s entire human\nresources system nor did we determine whether CHRIS substantially complies with all\nrequirements for human resources systems. Our analysis found that some system requirements\nhave been met with the system and others have not been fully met. JFMIP requirements stress\nthe importance of electronic personnel files to reduce the operational burden of maintaining\npaper personnel files. However, according to one Regional Human Resources Division,\ndiscrepancies between the CHRIS database and paper employee files have lessened the degree of\nconfidence in CHRIS\xe2\x80\x99 data integrity. 
In an attempt to improve the integrity of data maintained\nby CHRIS, the OCPO implemented employee read-only web access on September 30, 2004.\n\nThe GSA Chief Information Officer\xe2\x80\x99s February 2000 Capital Planning and Information\nTechnology (IT) Investment Control Guide; June 2002 Order on IT Capital Planning and\nInvestment Control; August 2002 IT Capital Planning and Investment Control Guide; April 2004\n\n5\n On December 1, 2004 JFMIP responsibilities were transferred to the Chief Financial Officers Council and the\nOffice of Federal Financial Management (OFFM), and all system guidance issued by JFMIP is transferred to OFFM\nand remains in effect until modified.\n\n\n                                                      4\n\x0cSystem Development Life Cycle Policy Handbook, as well as the Office of Management and\nBudget\xe2\x80\x99s (OMB) November 2000 Circular A-130 with its Appendix IV all specify that a post-\nimplementation review of the system should be performed. The objectives of such a review\nshould include validating estimated benefits and costs, documenting effective management\npractices for broader use and lessons learned, and redesigning oversight mechanisms and\nperformance levels to incorporate acquired knowledge. According to the Director and a\nmanagement analyst in the CHRIS Division, a post-implementation review of CHRIS has not yet\nbeen carried out. Such a review would help GSA to better assess whether the system effectively\nand efficiently meets all user needs as well as JFMIP and HR system requirements, and would\nthus ensure long-term success for this very important system.\n\nExpected Benefits Not Realized for CHRIS Due to Insufficient Customer Base\n\nCHRIS has not yet realized an operating surplus from cross-servicing arrangements, nor reached\na break-even business volume. In 2001, Gartner Inc. 
reported that competing Federal HR\nprocessing providers were charging their customers between $98.35 to $165 per employee and\nrecommended that GSA establish an initial price point of $100 per employee. However, GSA\'s\nper employee operations and maintenance (O&M) costs for CHRIS for FY 2001 were $257,\nwhich prevented GSA from profiting at a competitive price near-term. Based on a growth\nestimate of 44,142 employees to be serviced through CHRIS by FY 2003, Gartner Inc. projected\na shortfall of less than $1 million in FY 2001 and $543,000 in FY 2002, with a surplus of\n$440,000 projected in FY 2003. However, as of FY 2005, CHRIS provided support for only\n12,820 GSA and 10,622 cross-serviced employees, and thus the system is well below the\nprojected customer base. The CHRIS system services the following external customers:\nNational Archives and Records Administration, National Credit Union Administration, the\nOffice of Personnel Management, the Railroad Retirement Board, the Export/Import Bank, and\nGSA\'s Agency Liaison Division that handles approximately 30 independent agencies,\nPresidential Boards, and Commissions throughout the government. GSA has not realized\nexpected benefits from CHRIS cross-servicing arrangements, since pricing is insufficient to\nrecover GSA\xe2\x80\x99s cost of providing HR services. Figure 1 conveys the actual annual cost for\nCHRIS per cross-serviced employee over a six-year period. 
The graph depicts annual employee\ncosts strictly for development, modernization, and enhancement (DM&E) for CHRIS as well for\nthe aggregate costs of DM&E, and operation and maintenance support with the system.\n\n\n\n\n                                              5\n\x0c                                      Figure 1: Annual CHRIS Costs Per Employee\n                                                                                Annual Development,\n            $275.00                                                             Modernization, and Enhancement\n                                                                                (DM&E) Cost per Employee\n            $250.00                                                             (24,000)\n                                                                                Annual Opearation and\n            $225.00                                                             Maintenance (O&M) Cost per\n                                                                                Employee (24,000)\n            $200.00\n                                                                                Total Annual (O&M and DM&E)\n            $175.00                                                             Cost per Employee (24,000)\n\n            $150.00\n  Dollars\n\n\n\n\n                                                                                Projected Annual DM&E Cost per\n            $125.00                                                             Employee (100,000)\n\n            $100.00\n                                                                                Projected Annual O&M Cost per\n             $75.00                                                             Employee (100,000)\n\n             $50.00\n                                                                                Projected Annual (O&M and\n             $25.00                                                   
          DM&E) Cost per Employee\n                                                                                (100,000)\n               $-\n                      FY 2003 FY 2004 FY 2005 FY 2006 FY 2007 FY 2008 FY 2009\n                                               Year\n\n\nThis cost data shows that the customer base for CHRIS has not grown as anticipated, or as\nneeded, to recover the investment for the system. CHRIS\xe2\x80\x99 external customers\xe2\x80\x99 fees have\nremained at $100 per employee, however, since these fees exclude offsetting collections,\nincluding Oracle licensing and support, GSA must subsidize the system expenses. For example,\nactual O&M costs for CHRIS for FY 2004 were approximately $151 per employee per year, so\nGSA essentially subsidized $51 per every cross-serviced employee for that fiscal year. Current\ncost per employee estimates are based on an approximate cross-serviced customer base of\n24,000. However, projected estimates are based on 100,000 cross-serviced employees.\n\nWithout projecting a quantifiable recovery of investment, CHRIS system lifecycle costs have\nalso increased from an initial estimate of $34 million to an estimated $54 million in FY 2006.\nFigure 2 depicts growing lifecycle cost estimates reported for CHRIS. 
However, because available estimates do not include costs for development, modernization, and enhancement beyond FY 2006, the actual cost of CHRIS could be higher than projected.

Figure 2: CHRIS Lifecycle Cost Analysis. [Chart; x-axis: Year, Through FY 2002 and FY 2003 through FY 2009; y-axis: Dollars (in thousands), $0 to $60,000. Series plotted: Annual DM&E Costs; Annual O&M Costs; Annual Total Costs (DM&E and O&M); Cumulative DM&E Costs; Cumulative O&M Costs; Cumulative Investment (DM&E and O&M).]

According to the CHRIS Division Director, the low customer base has occurred, in part, because marketing efforts have been restricted until the national standards for HR systems have been established. The changing environment for Federal HR systems has made it difficult for the OCPO to effectively market CHRIS to new customers. Current electronic Government (e-Gov) projects include one aimed at improving the Federal HR process by establishing easy to use, cost effective, standardized, integrated e-HR/Payroll services to support the mission and employees of the Federal Government. The Office of Personnel Management (OPM) was given lead responsibility for these projects, and GSA is supporting this effort as a partner to OPM. The GSA payroll office was chosen by OPM/OMB as one of the four payroll service providers for the Executive Branch. The overall goal of these HR/Payroll e-Gov initiatives is to reduce the number of human resources and payroll systems in use throughout the Executive Branch. This requires an integration with existing HR processes that has already begun for payroll systems and for HR systems. OPM has recently announced the new HRIS component of the e-Government initiative (the HR Line of Business), and GSA intends to continue to be an HR service provider for other Federal agencies. However, because the Federal agencies have been aligned with the four payroll providers, GSA has acquired only a few small agencies to provide payroll support, which could further limit the customer base for the system.

The OCPO has offered CHRIS, with its Oracle HR, to OMB as a possible system solution to be delivered by service providers with the HR Line of Business.
A thorough post-implementation review is needed to document implementation experiences, recommend system enhancements, and provide guidance for considering options for the CHRIS system. The OCPO continues to enhance CHRIS and plans to keep its existing software enhancement commitments, such as Oracle upgrades, patches, module activation, and minor fixes, scheduled in 2005 and 2006. GSA must decide whether to: (1) keep the system and expand the customer base to offset costs; (2) offer CHRIS as a service provider under HRIS; or (3) sell the system and discontinue GSA’s management role with CHRIS. Regardless of whether CHRIS is selected as an application suitable for the HR Line of Business, critical decisions regarding CHRIS operations should be addressed promptly to minimize potential financial losses.

Improved System Security Controls Needed

During this audit we identified several weaknesses in CHRIS’ security controls that could lead to system vulnerabilities or unnecessary risks; these have previously been brought to management’s attention for prompt correction. Our FY 2004 FISMA review [6] identified specific security weaknesses, including results from system vulnerability scans. That review identified specific risks for CHRIS, and since then steps have been taken to address concerns related to budgeting for security costs and tracking known security risks for CHRIS. However, although CHRIS security controls were conditionally certified by the Office of the Chief Information Officer (OCIO) in February 2003, key security processes were not complete for CHRIS.
Four conditions stipulated with the CHRIS Certification and Accreditation (C&A)\nwere: (1) completion of the CHRIS Contingency Plan; (2) completion of the CHRIS\nConfiguration Management Plan; (3) correction or mitigation of the technical findings from the\nRisk Assessment and System Test and Evaluation Report; and (4) implementation of a formal\nauditing and monitoring program to detect problems and misuse of OCPO resources. These\nconditions have been reported by the OCPO as completed, but a final, unconditional\naccreditation letter has not been issued for CHRIS. Further, system security C&A documents\nthat we reviewed for CHRIS did not address all security controls as required by the GSA IT\nSecurity Program. At the time of our review, we found that background checks had not yet been\ncompleted for contractors hosting the system and providing system administration support to\nCHRIS before being granted access to the system. Finally, we also found that the CHRIS\ndatabase has a number of vulnerabilities that, if exploited, may compromise the confidentiality,\nintegrity and availability of the CHRIS system. Because CHRIS contains highly sensitive and\nvaluable information that may be exposed to undue risk, the OCPO should take additional steps\nto more comprehensively address the management, operational, and technical security controls\nfor the system.\n\nKey Components of Security Have Not Been Addressed with Certification and Accreditation of\nSystem Controls\n\nSeveral components of CHRIS security have not been addressed through the C&A process as\nrequired in the GSA IT Security Program and require management attention to manage the risks\nassociated with changing technology, system enhancement, the growth of malicious software,\nand other threats. 
The Accreditation letter for CHRIS stipulates continued operation with four conditions that were to be met no later than September 30, 2003: (1) completion of the CHRIS Contingency Plan; (2) completion of the CHRIS Configuration Management Plan; (3) correction or mitigation of the technical findings from the Risk Assessment and System Test and Evaluation Report; and (4) implementation of a formal auditing and monitoring program to detect problems and misuse of OCPO resources. Although these conditions have been reported as met, a final, unconditional accreditation letter has not yet been issued. Further, we found that CHRIS security documentation did not always meet requirements. While a Contingency Plan had been completed for the system during our review, the Contingency Plan did not include procedures and frequency for testing backup tapes, procedures for performing damage assessments, and procedures for terminating contingency operations. The system Risk Assessment did not include a business impact analysis or identify the system’s mission, processes, and interfaces, and described controls that should be used rather than those that are currently in place. The CHRIS Security Plan did not address recommendations made in the system Risk Assessment and did not include procedures for system and application timeout handling, review of database management system logs, external/internal handling of media, and use of integrity verification programs to look for evidence of data tampering, errors, and omissions.

[6] FY 2004 Office of Inspector General Information Security Review of the Comprehensive Human Resources Integrated System, Report Number A040179/O/T/F05006, January 11, 2005.

CHRIS security officials have updated the system Security Plan to include procedures for implementation of a formal auditing and monitoring program to detect problems and misuse of OCPO resources.

[Sensitive information regarding Oracle features has been removed here.]

As a result, CHRIS and its sensitive and valuable information may be exposed to undue risk if the OCPO does not take steps to more comprehensively address potential system threats and vulnerabilities and issue a final, unconditional certification and accreditation letter.

Background Checks for Contractors Not Completed

Contractors developing functional enhancements for CHRIS and providing routine maintenance support for the system have not received the background checks required by the GSA IT Security Policy before being granted access to the system and its sensitive data. The CHRIS Security Plan rates the aggregate sensitivity of the system’s data as medium-high, because of the amount of private information held within the environment and because employee access to and use of CHRIS data affects GSA’s mission and operations. A loss of confidentiality, integrity, or availability of that data, or of efficiency of service, could therefore impact HR activities. GSA’s IT Security Policy requires that contractors who design, operate, test, maintain, and/or monitor GSA systems have at least a background investigation consisting of a National Agency Check with Inquiries and Credit (NACIC) before being granted access to GSA systems or data. At the time of our review of CHRIS, one development contractor’s background check had been resubmitted and two other contractors’ background checks had been requested but not completed. During the exit conference, the OCPO reported that the problem with background checks for CHRIS contractor personnel has been addressed except for one newly hired contractor, who has no access to the production system.
The development contract for CHRIS requires compliance with the Privacy Act "and applicable agency rules and regulations," but does not specify a deadline for completion of background checks. Until the required background checks for CHRIS contractor personnel are complete, compensating controls, such as criminal record checks, monitoring of detailed audit logs, and obtaining the contractor’s internal background investigation and employment history record, should be implemented.

Improvements Needed in Oracle Database Security

We found specific vulnerabilities in the CHRIS database that, if exploited, may compromise the confidentiality, integrity, and availability of the system. The CHRIS database contains sensitive personnel data, such as social security numbers, which could be used for identity theft if compromised. An Oracle hardening guide to assist CHRIS database administrators with configuring a secure Oracle database was not in place until after our review. In the absence of this guidance, our assessment was based on the recommendations of the IT Governance Institute’s Oracle Database Security, Audit and Control Features [7].

[Examples of vulnerabilities have been removed due to their sensitive nature.]

Careful attention to these conditions is necessary to manage the risks associated with changing technology, system enhancement, the growth of malicious software, and other threats that CHRIS faces.
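The audit redacted its specific database findings. The following is an added example, not from the audit report and not GSA or OCPO material, of the kind of configuration checks an Oracle hardening guide directs a database administrator to run against a production instance; check 6 also bears on the review of database management system logs that the Security Plan was noted above as lacking. It assumes an Oracle 9i/10g-era instance and an account with SELECT on the DBA_* and V$ data-dictionary views; the lists of default accounts, parameters and packages are illustrative and are not findings about CHRIS.

```sql
-- Added example: generic Oracle hardening checks (not the audit's checklist,
-- not the redacted CHRIS findings). Run as a user with SELECT on the DBA_* and
-- V$ views (e.g. SYSTEM). Account and package names below are illustrative.

-- 1. Default/sample accounts that should be locked or dropped in production.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'OUTLN', 'DBSNMP', 'CTXSYS', 'MDSYS', 'ORDSYS',
                    'WMSYS', 'XDB', 'ANONYMOUS', 'HR', 'OE', 'SH')
   AND account_status NOT LIKE 'LOCKED%';

-- 2. Password and lockout policy per profile. A limit of UNLIMITED (or DEFAULT
--    on a non-DEFAULT profile) means the control is not actually in force.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_REUSE_MAX', 'PASSWORD_VERIFY_FUNCTION',
                         'PASSWORD_LOCK_TIME')
 ORDER BY profile, resource_name;

-- Open accounts still on the DEFAULT profile (no tailored policy applied).
SELECT username
  FROM dba_users
 WHERE profile = 'DEFAULT'
   AND account_status = 'OPEN';

-- 3. Instance parameters with direct security impact.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail',                 -- should not be NONE
                'audit_sys_operations',        -- TRUE: record SYSDBA activity
                'remote_os_authent',           -- should be FALSE
                'remote_login_passwordfile',   -- EXCLUSIVE, not SHARED
                'o7_dictionary_accessibility', -- should be FALSE
                'sql92_security',              -- TRUE: SELECT needed for UPDATE/DELETE
                'os_authent_prefix');

-- 4. Powerful system privileges held by accounts other than SYS/SYSTEM/DBA.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '%ANY%'
        OR privilege IN ('BECOME USER', 'ALTER SYSTEM', 'AUDIT SYSTEM'))
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA');

-- 5. PUBLIC execute on SYS packages that reach the file system or network.
SELECT table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'DBMS_JAVA', 'DBMS_LOB', 'DBMS_SCHEDULER', 'DBMS_JOB');

-- 6. Statement auditing actually enabled. An empty result means nothing is
--    being recorded for later log review, regardless of audit_trail.
SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY user_name, audit_option;
```

Any row returned by checks 1, 4 and 5, an UNLIMITED limit in check 2, audit_trail set to NONE in check 3, or an empty result from check 6 is a deviation from the guide to record in the system risk register and either correct or formally accept.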
Detailed information on the specific results of our review of the CHRIS Oracle database [8] was provided to the OCPO separately due to the sensitive and technical nature of the information reported.

Recommendations

We recommend that the GSA Chief People Officer:

    (1) Conduct a post-implementation review in accordance with the Office of Management and
        Budget’s Circular A-130 and GSA’s August 2002 IT Capital Planning And Investment
        Guide, to:
        a. Validate estimated benefits and costs for CHRIS;
        b. Evaluate CHRIS to ensure positive return on investment; and
        c. Ensure that the system meets organizational and user needs.

    (2) Complete an alternatives analysis to fully consider the costs and benefits for the options
        of:
        a. Keeping the system and expanding the customer base to offset costs; or
        b. Offering CHRIS as a service provider under HRIS; or
        c. Selling the system and discontinuing GSA’s management role with CHRIS.

    (3) Ensure that adequate security controls are in place to manage risks with CHRIS by:
        a. Completing the system certification and accreditation process for CHRIS including
           updating required system security documentation.
        b. Prioritizing necessary background checks for contractor staff as required by the GSA
           IT Security Policy and implementing compensating controls until this process is
           completed.
        c. Carefully assessing the Oracle database vulnerabilities and applying technical
           solutions to reduce associated risks.

[7] PriceWaterhouseCoopers, Inc. produced Oracle Database Security, Audit and Control Features, published by the IT Governance Institute in 2004, with assistance from many industry security experts.
[8] Security Vulnerabilities with the Comprehensive Human Resources Integrated System (CHRIS) Oracle Database, Report Number A040142/O/T/F05021, July 20, 2005.

Management Response

We met with the Chief People Officer (CPO) and Office of the Chief People Officer (OCPO) personnel to discuss the results of our review and to identify any areas in the draft report that may require revisions. They generally concurred with the findings and with two of the three recommendations as presented in the report. Written comments provided by the CPO indicate that the OCPO will take actions aimed at addressing the areas of risk identified in the report. Specifically, they identified ongoing or planned management actions toward: (1) conducting a formal post-implementation review for CHRIS to better assess whether the system effectively and efficiently meets user needs as well as JFMIP and HR system requirements, and (2) continuing to enhance CHRIS security controls, including another system certification and accreditation and completing background checks on contractors.

The CPO did not agree with the recommendation to complete an alternatives analysis to fully consider the costs and benefits for the options of: (1) keeping the system and expanding the customer base to offset costs; or (2) offering CHRIS as a service provider under HRIS; or (3) selling the system and discontinuing GSA’s management role with CHRIS.
The CPO stated \xe2\x80\x9can\nanalysis was completed in 2003 and in 2005 the Office of the CPO and the Office of the Chief\nFinancial Officer (CFO) decided that it would be in GSA\xe2\x80\x99s best interest to offer CHRIS and the\nPayroll Accounting Reporting (PAR) system, in combination, as the core of an HR Line of\nBusiness (LoB) Shared Service Center solution. A business case (OMB Exhibit 300) was\nsubmitted to OMB earlier this month as part of the FY 2007 budget formulation process. The\noffices of the CPO and CFO will work together to develop a more complete business model to\nsupport this plan.\xe2\x80\x9d While the decision to continue CHRIS as a service provider under HRIS is an\noption that we recommended be considered, a more complete business model should clarify how\nalternatives were considered.\n\nA copy of the management comments is provided in its entirety in Appendix B.\n\nInternal Controls\n\nAs discussed in the Objectives, Scope, and Methodology section of this report, our audit objectives\nwere to answer the following questions: (1) does GSA\xe2\x80\x99s CHRIS solution provide the needed\nfunctionality, security, and other controls for system operations to ensure the data\xe2\x80\x99s integrity and\nreliability; (2) does the OCPO have processes in place to improve system functionality and\nusability; (3) is CHRIS financially beneficial to GSA; and (4) if not, what actions are needed to\nimprove CHRIS? We focused our review on selected modules within CHRIS, management\ncontrols, operational controls, access controls, as well as the addition of new functionality within\nCHRIS. The Results of Audit and Recommendations sections of this report state in detail the need\nto strengthen specific managerial and technical controls with CHRIS. 
Our review did not include a detailed analysis of all controls or capabilities within CHRIS or overall controls provided within the OCPO.

KEY EVENTS IN CHRIS LIFECYCLE

Date                 CHRIS Event
September 1, 1996    Investment in CHRIS initiated.
Late 1999            Business plan for CHRIS issued.
August 2000          Phase 1 of CHRIS implemented.
October 12, 2001     Gartner study on pricing for CHRIS issued.
December 17, 2001    Phase 2 of CHRIS implemented.
February 2002        CHRIS implemented for its Federal customer agencies.
November 14, 2002    Access Control Directive for CHRIS issued.
December 20, 2002    Risk Assessment for CHRIS issued.
February 20, 2003    System Security Plan for CHRIS issued.
February 20, 2003    System Test and Evaluation Report for CHRIS issued.
February 26, 2003    Security Certification and Accreditation for CHRIS issued.
March 31, 2003       Contingency Plan for CHRIS released.
July 29, 2003        Contingency Plan for CHRIS modified.
September 8, 2003    IBM study of CHRIS strategic options issued.
June 18, 2004        Patch Management Process document for CHRIS issued.
September 30, 2004   CHRIS Personal View operational.
November 20, 2004    Contingency Plan for CHRIS revised.

GSA CPO’S RESPONSE TO DRAFT AUDIT REPORT

REPORT DISTRIBUTION

                                                                                      Copies
Chief People Officer (C)                                                                3
Director, Office of Information Management, Office of the Chief People Officer (CI)     1
Director, CHRIS Division, Office of the Chief People Officer (CID)                      1
Chief Information Officer (I)                                                           2
Regional Administrator (WA)                                                             1
Regional Administrator (3A)                                                             1
Regional Administrator (6A)                                                             1
Audit Follow-up and Evaluation Branch (BECA)                                            1
Assistant Inspector General for Auditing (JA and JAO)                                   2
Administration and Data Systems Staff (JAS)                                             1
Regional Inspector General for Auditing (JA-W)                                          1
Assistant Inspector General for Investigations (JI)                                     1
Regional Inspector General for Investigations (JI-W)                                    1
Deputy Assistant Inspector General for Finance and Administrative Audits (JA-F)         1
Deputy Assistant Inspector General for Acquisition Audits (JA-A)                        1